
Week 3

Confidentiality

In this video you will learn to describe what is meant by confidentiality in the context of the CIA triad.

In this video we're going to talk about the key concepts of the cybersecurity world, especially something that is commonly known as the CIA triad. First, we need to understand that these three letters mean everything in cybersecurity. The meaning of each letter is: C for confidentiality, I for integrity, and A for availability. Confidentiality is actually pretty simple. We deal with confidentiality almost every day, and it means that we're going to keep the data, the system, our technological assets confidential: we prevent any disclosure of confidential data, and any access to this computer, this system, that document, by non-authorized parties. For example, one kind of confidential data that we normally handle is our personal information; not all the people that we know need to know all the data that we keep on our computers and our cell phones. So, in order to implement confidentiality in our work in the cybersecurity world, we normally use encryption. We're going to talk about encryption in another video, but encryption means that we are going to use a cipher to prevent confidential data from being exposed to the public or to non-authorized parties. Other key elements that allow us to implement confidentiality are, for example, authentication, access control and physical security: things that allow us to maintain a certain level of restriction on our data, our systems, our technology and our assets.

Integrity

In this video, you will learn to describe what is meant by integrity in the context of the CIA triad.

The other concept that we are going to explore today is integrity. Integrity is similar to confidentiality, but there are some differences. Integrity is the principle that all the data, all the information, all the systems that we are going to use are not modified, are not changed by any system, any user, any person, either in transit or during the time that we are using that system. So, for example, suppose we are going to send an email from our email client to our company's headquarters saying that we are going to use a certain system to access the client's computer remotely, and we attach to that email the VPN software that we are going to use. One of the key concerns that integrity deals with is that the mail we send is not tampered with, is not modified in transit. So, basically, integrity deals with making sure that each piece of information that we send or receive is the original piece.

How can we implement, how can we use integrity in our company, in our cybersecurity life? We normally use hashes. The hash concept is something important, something that we are going to explore in future videos, but in the meantime the important part is that a hash is a mathematical algorithm that creates something like a signature, a fingerprint, of the file, of the email, of the data that we are going to use. For example, and I'm just going to explore a couple of things here: if we go to the internet, go to Google and search for "hash generator online", we could, for example, go to the second link. Here is the URL, Password Generator.NET, and here we could enter a password, enter a text. We could add something like "secure password". If we generate a hash of this secure password using the SHA256 algorithm, we are going to translate the words "secure password" into these numbers and letters. If you use the secure password to log in to, for example, your email account, and instead of the password you try to use this string here, these letters and numbers, you are going to be rejected by the system. But in the cybersecurity world, these letters and numbers mean that if somebody uses this password, the signature, the hash, will be something like this. If, for example, we change the D for an S, the hash will totally change; and if we change the S back to a D, we get exactly the same hash again. So, this is a clear example of what a hash means: it is a procedure where the mathematical algorithm generates the signature, in this case for a word, but we can generate the signature for a file, a document, or something like that.

Another, probably clearer, example is something like this. We could go to kali.org; this is a Linux distribution used by penetration testers to test security in the enterprise environment. If we go here and go to Downloads, then Download Kali Linux, we are going to see a lot of links to download this Linux distribution. But one interesting part here is this SHA256Sum. This is the hash that we need to validate as soon as we download this Kali Linux Light version of Kali. So, for example, if we download this file, say over HTTP, the file will be downloaded. As soon as the download is finished, we should go to something like this, "hash file online", and we could go to, maybe, a file calculator. In this case, we are going to use the site MD5File.com, which allows us to drop files and generates the results for these five different algorithms. This means that, as soon as the download finishes, if we upload the file into this online calculator and we receive something different from the number in that SHA256Sum, the file is probably corrupted, or the file suffered something in transit between the Kali servers and our computer. So, that is a clear example of how we could use hashes in the real world, in the cybersecurity world.

Two cautions for practice. First, compute the hash locally rather than uploading the file to a third-party site; every common operating system ships a tool for it. Second, a hash published next to the download only proves that the bytes arrived intact: if an attacker controls the download server or the page, they can replace both the file and the hash. That is why Kali also publishes a GPG signature over its SHA256SUMS file, which ties the hashes to Kali's signing key.
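Here is the same check done locally rather than on a website, as an added example that is not part of the course: it hashes text the way the online generator does, shows that a one-letter change produces an unrelated digest and that changing it back restores the original, and verifies a download against a SHA256SUMS-style line. The file contents and the sums line are constructed stand-ins, not a real Kali image or a real Kali hash.

```python
"""Hashes for integrity: fingerprint a string, then verify a download against a
published SHA256 sum. Added example; the sample file and the sums line are
constructed here and are not a real Kali image or a real SHA256SUMS entry."""
import hashlib


def sha256_hex(data: bytes) -> str:
    """SHA-256 of the given bytes as a 64-character lowercase hex string."""
    return hashlib.sha256(data).hexdigest()


def hash_text(text: str) -> str:
    """Hash a piece of text the way an online 'hash generator' does: the same
    text always gives the same digest; one changed letter changes all of it."""
    return sha256_hex(text.encode("utf-8"))


def parse_sums_file(sums: str) -> dict:
    """Parse a SHA256SUMS-style file: one '<hex digest>  <filename>' per line.
    A leading '*' on the filename marks binary mode and is stripped."""
    expected = {}
    for line in sums.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, name = line.split(None, 1)
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_download(filename: str, content: bytes, sums: str) -> bool:
    """True only if the downloaded bytes hash to the published digest for that
    filename. The whole digest is compared, never a prefix. A missing entry
    raises KeyError so that 'no hash published' is never treated as a pass."""
    expected = parse_sums_file(sums)
    if filename not in expected:
        raise KeyError(f"no published hash for {filename}")
    return sha256_hex(content) == expected[filename]


# Constructed stand-ins: a fake ISO and the sums line as it would appear on the page.
GOOD_ISO = b"pretend this is the Kali Linux Light ISO\n" * 1000
TAMPERED_ISO = GOOD_ISO[:-1] + b"!"          # one byte changed in transit
PUBLISHED_SUMS = f"{sha256_hex(GOOD_ISO)}  kali-linux-light.iso\n"

if __name__ == "__main__":
    print(hash_text("secure password"))
    print(hash_text("secure passworD"))      # one letter changed: unrelated digest
    print(hash_text("secure password"))      # changed back: identical to the first line
    print(verify_download("kali-linux-light.iso", GOOD_ISO, PUBLISHED_SUMS))      # True
    print(verify_download("kali-linux-light.iso", TAMPERED_ISO, PUBLISHED_SUMS))  # False
```

On a real download the equivalent command is `sha256sum -c SHA256SUMS` on Linux, `shasum -a 256 <file>` on macOS, or `certutil -hashfile <file> SHA256` on Windows. Hashing locally keeps the file on your own machine, and checking the sums file against Kali's GPG signature (the SHA256SUMS.gpg file published next to it) covers the case where the page and the file were replaced together.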
Availability

In this video, you will learn to describe what is meant by availability in the context of the CIA triad.

The last one is availability. Availability means, and actually we deal with availability every day, that any data should always be available when it's needed. A clear example of a lack of availability is not having any kind of backups for our data, for our systems. What happens when a cyber attack occurs, for example somebody downloads ransomware onto our network and all the data on our computers, on our servers, is erased or encrypted? Well, the easiest thing to do is to go to our backup and restore the data using the last backup that we have on our system, restore everything, and continue our life, continue our work as if nothing had happened. But in some cases this process, storing a backup or generating backups, is not necessarily common in most enterprises. A backup that has never been test-restored, or that sits on the same network the ransomware can reach, does not give availability either; keep at least one copy offline or immutable and rehearse the restore.

Some technical implementations that we could use to add availability to our systems are RAIDs. A RAID is an arrangement of disks; this technology allows us to install two, three, four, even thousands of hard drives in our servers, in our systems, to add redundancy for our data. So, for example, if we have four different drives in our file server and one drive goes down because a mechanical part broke, well, it doesn't matter: we have three other drives that hold the same information and we can maintain access to our data. Note that RAID protects against drive failure, not against ransomware or accidental deletion; an encrypted file is faithfully copied to every drive. Clusters are a technology that allows us to keep a set of servers working as one. It's something similar to RAID, but with clusters we're not dealing only with hard drives, we're dealing with servers. ISP redundancy is obviously something important: what happens if we only have one Internet connection in our company and something happens and that Internet connection goes down? This is especially important these days, when we are using a lot of things in the cloud, so it's probably a good idea to have a second ISP providing Internet to our company. And obviously backups: we already talked about backups, and they are among the important things that we need to keep in mind as soon as we work with backups and restoring data.
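The four-drive example above is mirroring: every drive holds the same data. Parity RAID (RAID 5 style) survives a single drive failure with only one drive's worth of redundancy, by storing the XOR of the data chunks on an extra drive. The following is an added example, not from the course: a pure Python simulation with a constructed payload that writes one stripe over three data drives plus parity, loses any one drive, and rebuilds it from the survivors.

```python
"""Availability through redundancy: a RAID 5 style stripe with XOR parity. Any one
drive can fail and be rebuilt from the others. Added example; this is a pure Python
simulation over a constructed payload, not a RAID driver."""
from functools import reduce


def xor_blocks(blocks):
    """Bytewise XOR of equal-length byte blocks."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def write_stripe(data: bytes, data_drives: int) -> list:
    """Split data across data_drives chunks (zero padded to equal size) and append
    one parity chunk P = D0 ^ D1 ^ ... ^ Dn-1. Returns data_drives + 1 'drives'."""
    chunk = -(-len(data) // data_drives)            # ceiling division
    padded = data.ljust(chunk * data_drives, b"\0")
    chunks = [padded[i * chunk:(i + 1) * chunk] for i in range(data_drives)]
    return chunks + [xor_blocks(chunks)]


def rebuild(drives: list) -> list:
    """Replace the single missing drive (None) with its reconstruction. Because
    P = D0 ^ ... ^ Dn-1, any one chunk equals the XOR of all the others, so the same
    rule rebuilds a data drive or the parity drive. Two missing drives cannot be
    rebuilt from a single parity chunk."""
    missing = [i for i, d in enumerate(drives) if d is None]
    if not missing:
        return list(drives)
    if len(missing) > 1:
        raise ValueError(f"cannot rebuild with {len(missing)} drives missing")
    survivors = [d for d in drives if d is not None]
    rebuilt = list(drives)
    rebuilt[missing[0]] = xor_blocks(survivors)
    return rebuilt


def read_data(drives: list, data_drives: int, length: int) -> bytes:
    """Reassemble the original bytes from the data chunks (parity is not data)."""
    return b"".join(drives[:data_drives])[:length]


# Constructed sample payload.
PAYLOAD = b"payroll-2024-Q1.csv: alice,4200;bob,3900;carol,5100"
DATA_DRIVES = 3


def survives(failed: set) -> bool:
    """Write the stripe, lose the given drives, rebuild, and check the data is intact."""
    drives = write_stripe(PAYLOAD, DATA_DRIVES)
    for i in failed:
        drives[i] = None                               # mechanical failure: unreadable
    try:
        drives = rebuild(drives)
    except ValueError:
        return False
    return read_data(drives, DATA_DRIVES, len(PAYLOAD)) == PAYLOAD


if __name__ == "__main__":
    for i in range(DATA_DRIVES + 1):
        print(f"drive {i} fails:", survives({i}))     # True for every single drive
    print("drives 0 and 2 fail:", survives({0, 2}))   # False: one parity chunk, two losses
```

The simulation also shows the limit the lecture's caveat points at: with one parity chunk, a second failure before the rebuild finishes loses the stripe, and a ransomware-encrypted file is striped just as faithfully as a good one. The backup, kept offline or immutable and test-restored, remains the control that answers the ransomware scenario.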

Non – Repudiation

In this video, you will learn to describe what is meant by non-repudiation and how it applies to the CIA triad.

Another key term that we need to understand is something called non-repudiation. Non-repudiation is pretty simple. It's about proof that the identity of the data sender (or the data receiver) is genuine and has not been altered, not only in transit but at the origin of the data. So, for example, how could we implement some technology that allows us to know, when somebody sends an email, that the person is actually that person and not an attacker from another country trying to impersonate the person who sent the email? That's something we normally implement with digital signatures. In this specific scenario we could also go to our mail server and look at the logs. Say Kenneth sends an email to his boss saying that he quits. If there are no logs, and no digital signature on the receiver's side that says that Kenneth sent this email, that is something important to keep in mind for the non-repudiation concept: as soon as Kenneth's boss goes to Kenneth's office and says, "Hey, are you really quitting?", Kenneth could say, "Hey, no, I'm not sending those emails; somebody is trying to impersonate me." We're going to talk in the future about how we use encryption and our public key infrastructure to generate digital signatures, and how to read logs on different systems. But at this moment, it's important to understand the non-repudiation concept.

The property that makes a digital signature work here is that only the signer holds the private key. A shared-secret MAC gives integrity but not non-repudiation, because the receiver holds the same key and could have produced the same tag.
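How a digital signature delivers that property, as an added example that is not from the course: a toy textbook-RSA signature over the SHA-256 of Kenneth's mail, verified with the public key, next to an HMAC that cannot prove origin. The key, the email text and the names are constructed; the key is far too small and the scheme too bare (no padding) for real use, where a library such as `cryptography` and a PKI-issued key belong.

```python
"""Non-repudiation with a digital signature: only the holder of the private key can
produce a valid signature, and anyone holding the public key can check it. Added
example with a toy textbook-RSA key so it runs with the standard library only; the
key is far too small and the scheme has no padding, so it is for illustration only."""
import hashlib
import hmac

# Toy key from two known Mersenne primes: about 92 bits, illustration only.
P = 2**31 - 1
Q = 2**61 - 1
N = P * Q
E = 65537                                  # public exponent
D = pow(E, -1, (P - 1) * (Q - 1))          # private exponent (Python 3.8+)


def digest_int(message: bytes) -> int:
    """SHA-256 of the message as an integer below N (this is what gets signed)."""
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(private_d: int, message: bytes) -> int:
    """Sender (Kenneth) signs with the key only he holds: s = H(m)^d mod N."""
    return pow(digest_int(message), private_d, N)


def verify(public_e: int, message: bytes, signature: int) -> bool:
    """Receiver, or any third party, checks s^e mod N == H(m) with the public key.
    Fails if the message was altered or the signature was not made with d."""
    return pow(signature, public_e, N) == digest_int(message)


def hmac_tag(shared_key: bytes, message: bytes) -> str:
    """For contrast: a MAC proves integrity but not origin, because the boss holds
    the same key and could have produced the identical tag himself."""
    return hmac.new(shared_key, message, "sha256").hexdigest()


# Constructed messages.
MAIL = b"From: kenneth@example.com\r\nTo: boss@example.com\r\n\r\nI quit.\r\n"
FORGED = b"From: kenneth@example.com\r\nTo: boss@example.com\r\n\r\nI quit, effective today.\r\n"

if __name__ == "__main__":
    sig = sign(D, MAIL)
    print(verify(E, MAIL, sig))              # True: the mail carries Kenneth's signature
    print(verify(E, FORGED, sig))            # False: text changed, signature no longer matches
    print(verify(E, MAIL, (sig + 1) % N))    # False: a value not produced with the private key
    key = b"shared secret between kenneth and boss"
    print(hmac_tag(key, MAIL) == hmac_tag(key, MAIL))  # True on both sides: no proof of sender
```

The signature, not the mail server log, is what Kenneth cannot repudiate: the log shows that a message passed through, while a valid signature shows that something only his private key could do was done. For that argument to hold in practice the private key must be protected (a smart card or HSM) and the public key bound to Kenneth by a certificate, which is the PKI part the later video covers.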

Access Management

In this video, you will learn to describe various methods of ensuring effective access management to an organization's computing resources.

We're going to go over some key concepts. First, authorization. Authorization is the process of allowing somebody to access a specific object. There are different types of criteria: you can restrict access by group, by time frame or specific dates, by physical location, or by transaction type. What this means is that we can allow subjects (people) to access objects (files or directories) based on specific groups. For example, the administrator group will have access to more data than somebody in a different group, such as a finance person in a finance group. You can also restrict access by time frame, meaning that from eight to five people can access the files, but any attempt to access those files outside that time frame will be denied. Also by specific dates: say Monday to Friday are the days on which people working on that project are allowed to access those files. You can also restrict access to specific objects, files or actions by physical location; for example, you want only people located in the USA to access those files, or only people outside the USA. And you can restrict access by transaction type: you don't want people to write to specific files, but maybe you want them to be able to read those files.

We need to talk about need to know as well. Need to know is the justification for somebody to request access to specific data: if my job duties require me to know something, that will be the justification for me to have access to specific files and directories.

All of this is usually centralized in something called single sign-on (SSO). It's widely used in enterprises: you log in once and the single sign-on gives you access to websites or to different parts of the system with that single login.

There are some authentication concepts that we need to understand. First, identity proof. Most systems ask you for an identity and for authentication. For example, the username is your identity proof; that's something that identifies you and only you. But after identifying yourself you need to authenticate, to prove that you actually are who you say you are. Basically that's done through the password: the password gives you authentication and the username gives you identification. Kerberos is a protocol used for implementing single sign-on. There are also challenge-response protocols like CHAP, which can be run in both directions for mutual authentication; these are types of authentication processes used when systems communicate with each other. They rely on a [inaudible]. More specifically, in Active Directory we have something called the security identifier (SID), which is a unique ID given to objects and subjects, meaning an ID that identifies a person and is also able to identify an object, for example a specific group or a specific file. Most of the operating systems that we know use discretionary access control (DAC). Basically, DAC is a type of access control that allows users to give access to their own data to whomever they want. Meaning, if I have a text file with sensitive data, I'm responsible for who is allowed to view and edit that file, because it's my file and it's at my discretion to give that access to anyone I want.
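The criteria listed above (group membership, time frame, days, physical location and transaction type) combined with a discretionary grant by the object's owner, as an added example that is not from the course. The payroll file, the users and the groups are constructed; the policy denies by default, an unknown transaction type is refused, and only the owner can share the object.

```python
"""Authorization checks from the lecture: group membership, time frame, weekdays,
physical location and transaction type, plus a discretionary (owner-granted) rule.
Added example; the users, groups and the payroll file are constructed."""
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class Request:
    subject: str
    groups: set
    action: str            # transaction type: "read" or "write"
    country: str           # physical location, as a country code
    when: datetime


@dataclass
class Policy:
    """Rules for one object. Every constraint that is set must hold; deny otherwise."""
    owner: str
    read_groups: set = field(default_factory=set)
    write_groups: set = field(default_factory=set)
    hours: tuple = (8, 17)                                          # 08:00 to 17:00
    weekdays: set = field(default_factory=lambda: {0, 1, 2, 3, 4})  # Monday to Friday
    countries: set = field(default_factory=set)                     # empty means anywhere
    grants: dict = field(default_factory=dict)                      # DAC: user -> {actions}

    def grant(self, by: str, user: str, actions: set) -> None:
        """Discretionary access control: only the owner may share the object."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner and cannot share this object")
        self.grants.setdefault(user, set()).update(actions)


def authorize(req: Request, pol: Policy) -> tuple:
    """Return (allowed, reason). The owner is always allowed; everyone else must pass
    every check, and an unknown transaction type is refused before anything else."""
    if req.subject == pol.owner:
        return True, "owner"
    if req.action not in ("read", "write"):
        return False, f"unknown transaction type {req.action!r}"
    group_ok = bool(req.groups & (pol.read_groups | pol.write_groups))
    granted = req.action in pol.grants.get(req.subject, set())
    if not (group_ok or granted):
        return False, "subject is not in an allowed group and has no grant"
    if req.when.weekday() not in pol.weekdays:
        return False, "outside allowed days"
    if not (pol.hours[0] <= req.when.hour < pol.hours[1]):
        return False, "outside allowed hours"
    if pol.countries and req.country not in pol.countries:
        return False, "outside allowed location"
    if req.action == "write" and not (req.groups & pol.write_groups or granted):
        return False, "write not allowed for this subject"
    return True, "ok"


def make_payroll_policy() -> Policy:
    """Constructed scenario: a payroll file owned by Carol in finance, US only."""
    return Policy(owner="carol", read_groups={"finance"},
                  write_groups={"finance-admins"}, countries={"US"})


def demo() -> list:
    """Run a set of requests and return (subject, action, decision) rows."""
    pol = make_payroll_policy()
    tue_10 = datetime(2024, 3, 5, 10, 0)    # a Tuesday, inside hours
    tue_19 = datetime(2024, 3, 5, 19, 0)    # same day, after hours
    sat_10 = datetime(2024, 3, 9, 10, 0)    # Saturday
    before_grant = [
        Request("alice", {"finance"}, "read", "US", tue_10),          # allowed
        Request("alice", {"finance"}, "read", "US", tue_19),          # outside hours
        Request("alice", {"finance"}, "read", "US", sat_10),          # outside days
        Request("alice", {"finance"}, "read", "BR", tue_10),          # outside location
        Request("alice", {"finance"}, "write", "US", tue_10),         # read-only group
        Request("erin", {"finance-admins"}, "write", "US", tue_10),   # allowed
        Request("dave", {"marketing"}, "read", "US", tue_10),         # no group, no grant
    ]
    rows = [(r.subject, r.action, authorize(r, pol)) for r in before_grant]
    pol.grant(by="carol", user="dave", actions={"read"})              # Carol shares with Dave
    after_grant = [
        Request("dave", {"marketing"}, "read", "US", tue_10),         # now allowed
        Request("carol", set(), "write", "BR", sat_10),               # owner: always allowed
        Request("alice", {"finance"}, "delete", "US", tue_10),        # unknown transaction
    ]
    rows += [(r.subject, r.action, authorize(r, pol)) for r in after_grant]
    return rows


if __name__ == "__main__":
    for subject, action, (allowed, reason) in demo():
        print(f"{subject:6} {action:6} {'ALLOW' if allowed else 'DENY ':5} {reason}")
```

Each denial carries its reason because that is what an access log needs: a denied read at 19:00 and a denied read from another country look identical as a bare "access denied", but are very different signals to whoever reviews the log.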


Incident Response

In this video, you will learn to describe the management process of incident response, how it is implemented, and why it is important to an overall security scheme.

>> In this video we are going to talk about incident response. Incident response is a managed process that most of today's companies deal with. It's really important because it generates information about our incidents: events, errors or even attacks that our computer networks are suffering. This means that as soon as something happens in our network that is not normal, that is not expected by the sysadmin or by anyone in the company, it will generate an incident. So, how could we take that incident, that event, and try to understand what happened? How could we prevent a new incident in the future, or restore the service, the data, the computer or the network as soon as possible? All of those concepts are incident management. Obviously there are a lot of things involved, and we're going to talk about them now.

There are some key components of the incident management process. First, it's important to understand what an event is. An event could be something that is not normal, not part of the normal behavior of the network or the company, but not every event is an incident; we'll talk about incidents in a couple of minutes. For now, an event is something that changed the normal behavior of the system; it could be planned or not. For example, an access control list is updated, a firewall policy is pushed or updated by someone in the company, or someone logs in to the server: it could be something normal and expected, or not. The common criterion is that it changed the normal behavior or the normal process in the company, in the system, in the computer. Now we have the incident. The incident is the negative side of an event. For example, if somebody logs in to the server and updates the ACL, that's an event. That event could be expected because there is a ticket that says the system administrator needs to go to the server and update the ACL in order to grant access to some part of the network, or to a VPN user. But what happens if somebody detects that someone went to the server, changed the ACL, and denied all access to the company's servers from the external network, so that nobody from the Internet can access the servers? That is an incident. It's something that negatively impacts the confidentiality, integrity and availability of the organization. Normally those incidents impact the business in different ways: the normal service of the company, the legal side, the operational side, the financial side.

Now, to deal with the incident, we have the response team. The response team, commonly known as the CSIRT (or CERT), is the team that will, in some cases, identify the breach, identify the incident, and then work through the process to resolve the incident and the issue we are having. For example, if somebody goes to the server and disables the firewall policy so that nobody from the external network can reach the internal network, our response team will try to fix that firewall policy and restore access to the company's internal network. One important part of the response team's work is the investigation process. They need to understand what happened, collect evidence, and maintain the chain of custody of that evidence, in order to understand why this incident happened, who performed the action, and what they need to do in the future to prevent these incidents from happening again. So, that's the quick explanation of what events, incidents, response team and investigation mean in the incident management universe.
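The event-versus-incident rule above (an ACL change with a matching ticket is an event; an unapproved change, or one that denies all external access, is an incident), as an added example that is not from the course. It also shows the correlation across two sources, a firewall log and a change-ticket export, that the next video attributes to SIEMs. All log lines, hosts, users and ticket numbers are constructed.

```python
"""Event or incident? Classify constructed log lines from a firewall and a server the
way a SIEM correlation rule would: a change that matches an approved change ticket is
an event; an unapproved change, or one that cuts all external access, is an incident.
Added example; the log format, hosts, users and ticket numbers are all made up."""
import re
from collections import namedtuple

Record = namedtuple("Record", "ts host fields")
Finding = namedtuple("Finding", "kind severity reason record")

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")            # timestamp host key=value...
KV_RE = re.compile(r"(\w+)=(?:'([^']*)'|(\S+))")            # quoted or bare values
DENY_ALL = re.compile(r"^deny\s+ip\s+any\s+any$")

# Constructed log lines (not from any real device).
LOGS = """\
2024-03-05T09:15:00 srv02 user=bob action=login result=success src=10.1.1.20
2024-03-05T10:02:11 fw01 user=jsmith action=acl_update rule='permit tcp any host 10.0.0.5 eq 443' ticket=CHG-1042
2024-03-05T10:40:30 srv02 user=bob action=login result=failure src=10.1.1.20
2024-03-05T23:41:07 fw01 user=jsmith action=acl_update rule='deny ip any any' ticket=-
2024-03-06T02:10:44 fw01 user=svc_backup action=acl_update rule='permit tcp any any eq 22' ticket=CHG-1042
"""

# Constructed change-ticket export: ticket -> (approved user, approved host).
APPROVED_TICKETS = {"CHG-1042": ("jsmith", "fw01")}


def parse_line(line: str) -> Record:
    """Split '<timestamp> <host> k=v k='quoted v' ...' into a Record."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts, host, rest = m.groups()
    fields = {k: (quoted or bare) for k, quoted, bare in KV_RE.findall(rest)}
    return Record(ts, host, fields)


def classify(rec: Record, tickets: dict) -> Finding:
    """Apply the lecture's rule: every parsed line is an event; an ACL change is an
    incident when it is not covered by a ticket approved for that user and host, and
    high severity when it denies all traffic (availability impact), ticket or not."""
    f = rec.fields
    if f.get("action") != "acl_update":
        return Finding("event", "info", "routine activity", rec)
    rule = f.get("rule", "")
    if DENY_ALL.match(rule):
        return Finding("incident", "high", "deny-all rule blocks all external access", rec)
    approved = tickets.get(f.get("ticket", "-"))
    if approved is None:
        return Finding("incident", "medium", "ACL change without an approved ticket", rec)
    if approved != (f.get("user"), rec.host):
        return Finding("incident", "medium",
                       f"ticket approved for {approved[0]} on {approved[1]}, not this change", rec)
    return Finding("event", "info", f"ACL change covered by {f['ticket']}", rec)


def triage(log_text: str, tickets: dict) -> list:
    """Parse and classify every line; incidents sort first so the CSIRT sees them first."""
    findings = [classify(parse_line(l), tickets) for l in log_text.splitlines() if l.strip()]
    order = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda x: order[x.severity])


if __name__ == "__main__":
    for fnd in triage(LOGS, APPROVED_TICKETS):
        print(f"{fnd.kind:8} {fnd.severity:6} {fnd.record.ts} {fnd.record.host} {fnd.reason}")
```

The point of the ticket lookup is the one the lecture makes: the log line for the approved change and for the unauthorized change look the same on the firewall. Only by joining the firewall log with a second source (the change system) can the rule tell the expected event from the incident, which is the correlation a SIEM centralizes when there are a thousand hosts instead of five lines.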

Key Concepts – Incident Response

In this video, you will learn to describe the key concepts of incident response, including e-discovery, the use of automated systems, business continuity planning and disaster recovery, and post-incident activities.

>> There are some key concepts that we need to understand now. First, the e-discovery process is really, really important. We need to have our baseline regarding the technologies, systems and assets that we use in our company. The e-discovery process allows us to get the current status of all the data, all the systems, all the information that we are dealing with in our computers, in our systems, in our network. It also allows us to understand how we control the data retention period and the backups of that data. And not only data: we can also ask things like, if we have a system that deals with payroll on a monthly basis, is this system really important? Do we need to care about data retention here? Do we need to care about backups? Do we need to care about restoring this system in case an incident happens? So that is an important process, the e-discovery process.

Then we have automated systems. We have a lot of things in our current environments: SIEMs like Splunk, QRadar, ArcSight; user behavior analytics; big data analysis; honeypots and honeytokens; artificial intelligence. Why do we have so many things? Because we have a lot of assets, so we have a lot of data. If we only have one computer in our company, it will probably be easy for the response team to understand why an incident happened, how to restore the affected service, and why the incident is happening again and again. But what if we have 1,000 computers, 100 servers, 10 different routers and systems? We need to correlate. We need to centralize all the data generated by those systems, generate reports, generate useful data from that information, and, more importantly, generate automated incident alerts that warn the incident response team that something has happened, even before the user or the company is affected by that incident.

We have BCP and disaster recovery. BCP means business continuity plan, and disaster recovery is something similar, but we are going to talk about the main differences. The business continuity plan is a whole plan that we need to implement in our company in order to guide not just the incident response team but the whole organization as soon as something happens. What happens when a service is affected and won't be available to external users for the next three or four hours? How will our company deal with that? How will the IT department deal with it? How will the client service department deal with all the calls they are going to receive from people outside the organization? Disaster recovery is the process that we need to follow in order to be able to recover all the different areas if a disaster occurs. By disaster we don't necessarily mean a hurricane or a tornado; it could be a cyber attack that destroys all the data in our data center. How could we recover everything in our data center? How could we restore everything? It is also the process we need to implement not just to recover, but to inform the authorities, inform the CEO of the company, or inform the public that we are going to have a service disruption because of an incident in our data center.

Obviously, the last term that we are going to explore is the post-incident. The post-incident is, well, as soon as everything is okay, as soon as we have recovered everything, as soon as the service is up and running: why did this incident happen? What is the root cause of this incident? Who did the attack, for example? Who made the changes? We also need to understand the difference between an error, a problem and an incident. An error is something that happens on the system because somebody made a mistake. For example, if you go to the finance system and, instead of your bank account number, you type your name, hit Enter, and the system crashes because of that, that's probably an error, because the system handled the user's input into a text box poorly. A problem is a number of errors; repeated errors normally point to a problem. So you detect that error, update the system and implement a patch to fix that input error. But what happens if you detect that another user goes into another part of the system and, again, instead of numbers they put letters and the system crashes? Well, that could be a problem: the system could have a problem on the input validation side. An isolated incident is something that, well, happened once. We still don't know why it happened, but as soon as the user put letters instead of numbers the system crashed; if we try to replicate the error, the same behavior, nothing happens. So that could be an isolated incident. The thing is, we need to investigate and fully analyze all the different types of errors, problems and incidents that we detect on our systems, and understand what is an error, what is a problem, and what is an isolated incident. The next part of the post-incident concept is lessons learned, and the reports that we generate from those errors, problems and incidents in order to learn what happened. How could we prevent those events? And if those events happen again, how could we restore the service as soon as possible?

Incident Response Process

In this video, you will learn to describe the cybersecurity incident response process and its three phases of Prepare, Respond, and Follow Up.

How could we deal with the cybersecurity incident process? This is something that comes from CREST. CREST is a good organization that offers a lot of certifications and a lot of information regarding cybersecurity. They summarize the cybersecurity incident process in three different phases: the first is Prepare, then Respond, and the last one is Follow Up. In the first phase, you need to understand whether you have the e-discovery process. In other words, you need to understand what kind of systems you are dealing with. If you have electronic data, is that electronic data classified? Do you have something important to worry about? Do you have controls, administrative, technical or physical, to protect your assets? Do you have, for example, a business impact analysis that allows you to understand what happens if a certain system goes down? How much money will you lose? How much time will you, or your operation, lose? As soon as you have all the information in your hands, all the data, you can start dealing with the incident.

So, in phase two, you first need to identify what the cybersecurity incident is. For example, if somebody comes into your office and leaves a USB key on your desk, and you grab the USB key, plug it into your computer and download malware onto your computer, that's probably a security incident. But if somebody throws a rock and breaks a window in your building, that's probably not a security incident. Well, it's a security incident, but not a cybersecurity incident. So the way that you deal with the cybersecurity incident will be different from the way you deal with other kinds of security incidents in your organization. Then you will need to start, or trigger, the business recovery plan; you may need to trigger the business continuity plan if the incident requires it. The last part is the decision-making about the past incident, the investigation phase, and that's actually the follow up. You need to investigate the incident. Why did the incident happen? If the incident happens again, how will you deal with it? What are the best controls that you could implement to prevent the incident from happening again? There are a lot of things you could do in the follow-up, but one important thing to do in the follow-up phase is trend analysis. For example, you know that somebody in your organization grabbed a USB key and plugged it into a computer on the internal network, and malware went through your whole network and infected a lot of computers. So probably it's a trend: if somebody again leaves USB keys in the parking lot, for example, what is the probability, what is the trend, that a lot of your users will grab the USB key and plug it into their computer? In order to understand whether that kind of activity, that kind of behavior, is a trend, you will probably have to perform a lot of interviews. You will have to gather enough evidence, as we mentioned in the investigation phase, and build a case, a business case, a process, to create a plan. One of the outcomes of that plan will probably be a security awareness program. So those are basically the phases of the cyber incident response process.

Something useful if you want to understand a little better how a security incident could harm your organization is this data breach calculator that we have here at IBM. Let's go real quick into this link. You go here and open this link, and you will get something like this. It's pretty simple. You just need to select, for example, what country you are living in, or where the cybersecurity incident will be happening, and what kind of industry you are dealing with; for example, we could deal with the pharmaceutical industry. Then some things that you have already implemented or don't have in your organization; for example, you could say that you have an artificial intelligence platform, that you have not done a classification schema, that you have employee training. As soon as I start adding new things to these factors, the cost of the cybersecurity incident goes down. As soon as I start clicking on the related factors in the other box here, the cost of the cybersecurity incident goes up. Then, here, we have the normalized statistics, based again on our location, about the average time to identify a data breach, for example, and the top three cost factors for mitigating data security breaches. So, obviously, the first line is incident response; then we have the use of encryption technologies on our data and our systems; and, obviously, the employee training process.

On the next slide we have a couple of links as well. If you prefer to understand the cybersecurity incident process using a mind map, you could go to those links. They are actually pretty good, but you'll have a lot of information there. You'll see a lot of things and it will probably be overwhelming to take in, but it's actually pretty cool. You will have a lot of phases, a lot of steps that you need to perform as soon as you start dealing with a cybersecurity incident response. So, for example, here on step number three, this is the step that you may need to follow in the initial response process. The first item in the initial response, for example, is having the system and network administrators in place, and the business personnel, examining the logs, the reports, the architecture. You should have, for example, information gathering for the system: understand the incident that you are dealing with, understand the system that you are dealing with, in order to start working with the response teams, with the people.

Introduction to OWASP

In this video, you will learn to describe the purpose of frameworks, baselines, and best practices in an effective cybersecurity strategy. The last part of the session is frameworks and their purposes. We're going to talk about frameworks, we're going to talk about best practices. Here is just a good differentiation between best practices, baselines, frameworks, normative, and compliance. So in the organization, we will have a lot of things, we will have, for example, best practices, we will have a baseline, or we will have a framework. A good example of a framework is COBIT, or a good example of best practices, in some cases a framework depending on your business, is I-T-I-L, ITIL. So those are good things, good controls that will improve, enhance your IT governance, your IT processes, your IT policies, your IT procedures. Those frameworks, those baselines, those best practices will improve the performance of your servers. For example, if you go and grab the best practices from Microsoft regarding the hardening of their database server, for example, you will have a better Microsoft SQL Server, you will have an improved Microsoft SQL Server. But that best practice, that framework, it's not something that you will have to have, it's nice to have. You will have a lot of good practices, you will have a lot of controls, you will have a lot of good things, but if you don't have it, that's it. That's something that will not necessarily harm your business. If you don't have guidelines from Microsoft to implement the servers, if you don't have the guidelines from Cisco to implement the physical devices, if you don't have the best practices from COBIT to improve your IT governance in your company, you will lose your business, you will be part of many kinds of problems with your regulator, with your government. In the other corner, we have normative and compliance. The difference here is you need to implement normative, you need to have compliance, if your business requires that. So for example, there is something called HIPAA. HIPAA is a normative that will be part of any kind of health care company in the United States. So in your health care company, you could have COBIT, you could have a lot of ITIL processes, you could have all the best practices from your vendors implemented in your systems, but if you don't comply with HIPAA, if you missed two points, if you missed two processes in HIPAA, probably you won't operate in the United States. You will have penalties from the US government because you are not complying with HIPAA. So that's the main difference between baselines, frameworks, and best practices, and normative and compliance. So as we mentioned, we have a lot of things, we have, for example, as best practices, as frameworks, methodologies that we could implement in our business to improve the way that our business deals with technology, and we could mention, actually, we already mentioned a couple of those. We could mention COBIT, we can mention ITIL, ISOs. In cybersecurity we have the ISO 27000 series, we have COSO, we have the PMI, the Project Management Institute, with a lot of project management methodologies, we have the developer recommendations. As soon as you start working with a programming language, you will have a lot of recommendations, you will have a lot of information regarding the best practices that you could follow on your software, in your systems, to avoid any kind of security incidents, any kind of incident that will harm or will destroy your software.

IT Governance Process

In this video, you will learn to describe what is meant by an IT governance process, what components are involved, and why it is important. We have the things that are part of our organization; those are something good to have. Good to understand, and well, it's good to have, but in most of the cases, not necessarily something you have to have. We have strategic and tactical plans. Those plans set all the direction of the organization or the structure of each of the departments. Each department will try to obtain the goals using the strategic plan, because the strategic plan will tell you what the course of the company is. If the company wants to grow, for example, 20 percent in the next two years selling computers, well, probably all the departments inside our company need to focus their efforts to accomplish that strategic goal. The tactical plans are how we could accomplish the strategic part. So those two plans go hand in hand. So that's also important to understand. Policies are actually pretty important. You will need to have a policy to set the baseline, to set the structure of the business that you want to have. So for example, here is a quick sample. You have your business internet access for your users. So the first thing that you have to have, or you need to have actually, is the policy: how the users will access the internet, what the users can do and cannot do on the internet. So a user Internet policy should be in place to let the users know what they cannot do and what they can do. Now there is a procedure; a procedure is, for example, what a new user should do in order to have internet. So it doesn't matter at this point. For example, you need a procedure if the users can't go to a sports website and watch a game. But the procedure, in this scenario, will allow the user to request internet access from the IT expert, for example. As soon as the user has internet access, the user will probably be prompted to read the Internet usage policy, and the user will need to accept the policy in order to get internet access. That's something that we normally use, or we normally experience on the public internet access locations. So for example, if you go to Starbucks and you are trying to use the Internet access from Starbucks, as soon as you connect to the Wi-Fi network, you will receive a captive portal with a lot of information, a lot of data that says, in other words, that all the information, all the data that you are going to send using that Wi-Fi connection will not have anyone responsible, no responsibility for that. So that's a quick example of what a policy is and what a procedure is. The procedure is, again, the process that you need to follow in order to have something, in order to perform something. The policy is simply the rules that you will need to understand, that you will need to accept, to start using your computer, your Internet, your device. Governance, governance is the understanding of all the different parts of the organization with one unique goal. So for example, COBIT is a good framework that allows your company to improve their IT governance in your organization, because all the different parts of your organization will talk the same language. So for example, if somebody in accounting needs a modification on the payroll system because they found a bug, they know that if they want a modification in the system they will need to go to the intranet and create a ticket number, create an incident case. That incident will go to the IT staff, and the IT staff will prioritize the incident into the queue to be treated by the experts. That's something actually pretty standard. But everything that I mentioned is part of the IT governance process. That may correspond to a change management process, to a delivery and support process from your IT staff. That's a good example of how your accounting department, that probably doesn't have anything to do with technology, needs to understand and talk the same language as your IT department in order for all departments to have the same goals.

Cybersecurity, Compliance and audit overview

In this video, you will learn to describe which compliance policies most organizations are required to follow, and describe the use of audits in cybersecurity compliance. We go to compliance. Here's a quick example of a couple of regulations or compliance policies that most of the organizations in the United States or in other parts of the world need to have or to implement in order to operate in certain countries. So for example, we have SOX. SOX is a financial compliance or financial regulation program. HIPAA, we already mentioned HIPAA. It's something related to healthcare, how the healthcare organizations deal with the privacy of the data of their patients, for example, how they transmit the data between hospitals, different healthcare organizations, and, for example, if they transmit the information in a secure way. GLBA is something related to finance. PCI DSS, these are related to the management of credit cards, of financial processes. So if you want, for example, to start processing credit cards on your servers because you have an online store, probably you will need to comply with PCI DSS. Normally, what a lot of companies that deal with PCI DSS do is to perform, for example, pentests or [inaudible] assessments on a regular basis for them to comply with PCI DSS. So here are just examples for their compliance. One of the last parts that are important to understand is the main difference between the processes that any organization could perform in order to identify if they are compliant with a certain regulation or a certain framework that they want to implement. One of the things that they need to perform is an audit. Now, an audit could be an internal audit or it could be an external audit. The internal audit is obviously performed by internal departments, by the internal audit department, and that's something normal with most of the organizations. That's a continuing process, that's something that is normally performed during all the year, during the audit life-cycle. But the difference here is normally the internal departments will generate reports, but those reports are necessarily to improve the operation of the organization. The external audits are normally based on requirements. So for example, if you want to comply with PCI DSS you will need to hire an external audit company to generate a report and understand in which of the PCI DSS parts you are not complying, or if you are complying in all the PCI DSS parts, and the external company will let you know on the report that you are able, or you can go now and apply for a PCI DSS certification or process to be a part of, or to start dealing with credit cards, for example. Now here is a methodology which you could use in your audit projects, for example. Basically these processes could apply for external and internal audits, but are actually pretty simple, with three phases. But inside each of the phases, you will have a bunch of steps, and again this is something standard. So it not necessarily means that the same methodology will be applied or will be valid for all the organizations. But this is just the baseline. So on phase one, you will have to understand the organization view, you will need to understand the organization that you are dealing with, you will need to identify the key players, the key users, for example, of the system in order to start looking for any finding, any incident or issue that you may report in your final audit report. Also you will need to create a profile, you will need to create a threat profile. For example, if you are auditing a software, you will need to understand: well, this is a web-based software, and one of the threats that the software could have is a cross-site scripting attack. So it doesn't mean that the software that you are auditing right now is prone to or has an issue regarding cross-site scripting. But that's something that in phase number two and phase number three you will need to assess and you will need to identify. So again, if you know that you are dealing with a web page or web software, it will be prone to a cross-site scripting attack. On phase number two, you will need to evaluate, you will need to understand, and you will need to probably interview the creators of the software and ask if they have already performed any kind of, for example, security review on the web system, on the web application, and if the results of the review have something regarding cross-site scripting. If there is any security review for that web system, probably you will need to create your own test, your own assessment, or you will need to inform on your report that this software doesn't have any security review. That will guarantee that it is truthful, for example, and the last part is the risk assessment, the risk analysis. That process will translate all your findings in your audit report into a risk. This could be, on the example that we are talking about, the cross-site scripting: if you detect that the organization is not performing any security assessment and you don't have any widths or any evidence that will let you know that, yes, this software is not prone to cross-site scripting, well, you need to categorize that finding into a risk. Is this a high risk for your organization? Well, if your business depends on that web system, probably it's a high risk, probably it's a critical risk. So you will need to understand, you will need to translate those findings into risk.
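An added example, not part of the course, of the two audit phases just described for the cross-site scripting case: a phase-two check an auditor can run when no security review exists (does a harmless canary come back unescaped?), and a phase-three step that translates the finding into a risk level. The rendering functions, the canary and the rating rules are constructed for illustration.

```python
"""Added example (not course material): phase-2 XSS check and phase-3 risk rating."""
import html

# Constructed canary: harmless here, but it would execute if reflected raw.
CANARY = '<script>alert("canary")</script>'


def render_greeting_unsafe(name: str) -> str:
    """Vulnerable rendering: user input is concatenated straight into HTML."""
    return "<p>Hello, " + name + "</p>"


def render_greeting_safe(name: str) -> str:
    """Hardened rendering: output encoding turns markup in the input into text."""
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"


def reflected_xss_finding(render) -> bool:
    """Phase 2: our own assessment when the team has no security review.
    Returns True when the canary comes back unescaped, i.e. a reportable finding."""
    page = render(CANARY)
    return CANARY in page


def rate_risk(finding: bool, has_security_review: bool, business_critical: bool) -> str:
    """Phase 3: translate the finding into a risk level for the report.
    Constructed rules: a confirmed finding on a system the business depends on
    is Critical, a confirmed finding elsewhere is High, no finding but no
    evidence of any review is Medium, evidence of a review and no finding is Low."""
    if finding:
        return "Critical" if business_critical else "High"
    if not has_security_review:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    for label, render in (("unsafe", render_greeting_unsafe), ("safe", render_greeting_safe)):
        found = reflected_xss_finding(render)
        print(label, "finding:", found, "risk:", rate_risk(found, False, True))
```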

Pentest Process and Mile 2 CPTE Training

In this video, you will learn to describe a penetration testing process, Mile-2 CPTE training, and what is meant by ethical hacking. Part of this session is the penetration testing process. The penetration testing phases: in the audit we just understood, for example, that we don't have the web system, we don't have any assessment yet to understand or to review if the system is prone to cross-site scripting. Well, on the pentesting side, we will go and we will test the cross-site scripting on the system. We will act like an attacker, like a hacker, and try to explore the system, try to perform the cross-site scripting and understand what happens, understand if the system is prone to cross-site scripting. Well, let's simulate, let's attack the system, let's generate the cross-site scripting attack on the system, and let's see what happens. Let's see if the system lets me send a message to a user, and lets me, through the user, go to an external website and try to hack the user's computer, try to hack the system. So basically, the penetration testing or the ethical hacking process, this is just the methodology used by Mile-2, which is a vendor that has a lot of cybersecurity certifications, but this is just a basic and standard process. So you will need to footprint your target. On the same target that we have, the web application program, we will need to understand, first of all, what kind of system we are dealing with: if this is a web system, or we're dealing with the WordPress platform, we're dealing with a customized platform, we're dealing with an HTML5 platform. The scanning planning process will let us know, or in the pentester's view, will give the pentester the knowledge to understand if there is any port open, what is the operating system of the web server application, what is the language, what is the database that the web application is reporting to. On the enumeration, we will understand any kind of techniques, any kind of processes that we are going to generate, that we're going to use to access the system. Obviously, we have the exploitation or penetration part, and this means that we're going to perform the attacks, we're going to generate the attacks. If we understand that we are dealing with a WordPress platform, and the WordPress platform is on a server in the internal network, and the same WordPress platform is prone to a SQL injection attack, and we could get the information from the database, well, let's generate the attack, let's create the attack and see what happens. If the attack was successful, we will have to perform a set of steps. For example, we could elevate the privilege, we could manipulate the data. We need to cover our tracks. For example, we don't want the CSEC to detect our steps in the system. So probably we will need to cover our tracks. We will have to leave a backdoor. For example, we will want to come back later to the system, and we don't want to perform any of the previous steps. We just want to go and double-click on the link on our desktop and get access to the system; then we will need to leave a backdoor. Those processes, those steps, we'll understand, or will give us an understanding that the system is prone to attacks, and not just prone to attack, but the system will have or will deal with attacks in a way that will give the attacker full control of the system, or will block the attack and will drop all the connections from the attacker's computer. So that process, the pentest process, is normally known as an offensive security scan; it is something where you will need to act like an attacker, you will need to act as a hacker and perform attacks on systems. Obviously, you will need to have permission from your client in order to proceed with these kinds of tests. But on the audit, the important part here is to understand that if you will perform an audit, this is not necessarily a pentest, or a pentest is not necessarily an audit. So there are a lot of differences, there are a lot of things that you will keep in mind in order to perform each of both, or each of the processes, each of the techniques that we showed you in the session.

OWASP

In this video, you will learn to describe the OWASP Top 10 tests, when and why they are used, and where to get help from outside organizations. Another methodology, another best practice that most of the web applications need to follow, here is the OWASP Top 10 process. So if you're dealing with a webpage, if you're dealing with a web application, if you are dealing with, actually not necessarily a web application, but if you are dealing with applications at all, you could use the OWASP Top 10 and start performing tests of each of the sections that the organization will have on their website. So basically OWASP, we will see here a lot of information on OWASP. If you go to Google and put OWASP on the search bar, you will go to the owasp.org link, and you will get a lot of information regarding this organization that will help you when you are trying to perform a test on your web application. Actually, there is also a lot of information for mobile applications too. So for example, if you go to download, you will see a lot of categories here. So for example, let's go to the OWASP Top 10 project here. You will see that the top 10 for 2017 is now available. So here you will load the report with all the different information for the top 10 vulnerabilities for web applications in the last 2-3 years since 2017. So for example, we have as Number 1 injection. So if we go to page Number 7, here is an example of what injection is, what the process is to get information from the system using SQL injection, for example, what the attack scenarios are, what you need to perform in the system in order to know if your system is prone or is vulnerable to injection. You have, for example, broken authentication, sensitive data exposure; you have a lot of things to prove. Again, if you go to the main website, you will see a lot of the OWASP, or something else known as the checklist. It's a document where you will get a lot of documents, a lot of controls that you will need to implement, you will need to have on your web applications in order to ensure that your web app is fully secure.
